Messages - EddieA

16
Installation and Upgrades / Cannot Restore Backup Configuration
« on: October 01, 2013, 09:48:40 pm »
I'm not sure if this is a supported way of upgrading, but for testing 3.2 I installed a new copy under VMWare and tried to restore a configuration backup from my live 3.0 version which is fully up to date.  The restore comes up with the confirmation pop-up asking if this is what I want to restore, but there is no OK button to continue.

Cheers.

17
Installation and Upgrades / Re: Is there a hook for route table
« on: September 29, 2013, 03:49:02 am »
OK, it's taken 18 days of up-time before this happened again and the route/ip route entries disappeared.  Unfortunately, the network postservice hook was not called as neither the Zentyal created entry nor my echo were recorded in the zentyal.log.

Following this, because of some updates I did a reboot.  As part of that reboot, I see both the network and firewall postservice hooks being called.
Code:
2013/09/28 18:03:58 INFO> Base.pm:905 EBox::Module::Base::_hook - Running hook: /etc/zentyal/hooks/firewall.postservice 1
Sat Sep 28 18:03:58 PDT 2013   Firewall postservice ran
2013/09/28 18:03:58 INFO> Service.pm:949 EBox::Module::Service::restartService - Restarting service for module: firewall
2013/09/28 18:04:00 INFO> Base.pm:905 EBox::Module::Base::_hook - Running hook: /etc/zentyal/hooks/firewall.postservice 1
Sat Sep 28 18:04:00 PDT 2013   Firewall postservice ran
However, at the end of the reboot, again the route/ip route entries are not present.  By means of an "ip rule list" I can see that my rule was added to the list, but it now contains no entries.  So, something later in the boot sequence, following the network postservice hook re-wrote the route/ip route tables wiping my entries out.

I also checked the log for (Re)Starting services, but can find none indicated between the last known point the entries were present, and the time I noticed them gone.  In fact, these are the only zentyal.log entries in that time frame:
Code:
2013/09/28 00:50:05 ERROR> Sudo.pm:127 EBox::Sudo::_commandError -  nice john --show /var/lib/zentyal/conf/remoteservices/john/ssupl.jtrf failed.
Error output: nice: john: No such file or directory

Command output: .
Exit value: 127
2013/09/28 03:00:05 INFO> Backup.pm:743 EBox::Backup::makeBackup - Backing up configuration
2013/09/28 03:00:20 WARN> WebServer.pm:761 EBox::WebServer::dumpConfig - /etc/apache2/sites-available/ has not custom configuration dirs. Skipping them for the backup
2013/09/28 03:00:20 INFO> backup-tool:356 main::__ANON__ - Backing up files to destination: try 1
2013/09/28 03:01:15 INFO> backup-tool:554 main::__ANON__ - Backup process finished successfuly
2013/09/28 03:01:15 INFO> EventDaemon.pm:317 EBox::EventDaemon::__ANON__ - Send event to EBox::Event::Dispatcher::Log=HASH(0x4e7af30)
2013/09/28 03:01:15 WARN> EventDaemon.pm:243 EBox::EventDaemon::__ANON__ - Cannot log event, Mysql is stopped
2013/09/28 07:10:31 INFO> notify-job:62 EBox::RemoteServices::Job::Notifier::__ANON__ - Job 12 finished with exit value 0 CC will be notified
2013/09/28 07:10:44 INFO> notify-job:62 EBox::RemoteServices::Job::Notifier::__ANON__ - Job 5 finished with exit value 0 CC will be notified
So, any further ideas about what is wiping the route/ip route entries, and how I can either stop this, or re-create them following?

Cheers.

18
Installation and Upgrades / Re: Is there a hook for route table
« on: September 05, 2013, 10:08:43 pm »
Yeah, I'll try.  But as I said I'm not sure under what circumstances the route table gets re-written.  Maybe I'll add a log entry in my hook, so I can verify if it runs.

Cheers.

19
Installation and Upgrades / Is there a hook for route table
« on: September 04, 2013, 03:58:34 am »
Hi,

I've added a hook at /etc/zentyal/hooks/firewall.postservice to update the iptables nat table for my outbound OpenVPN connection.  I also use it to update the route table to force only certain IPs down that path, but have noticed that under some conditions (still to be determined) Zentyal will reset the route table back to the default.

Is there a similar hook I can use to update the route table each time Zentyal touches it?

Cheers.

20
Installation and Upgrades / Re: suricata Eats CPU
« on: August 22, 2013, 02:47:38 am »
Due to the way it works, Suricata is indeed resource consuming.
Even when I don't have any interfaces selected for IDS/IPS.

Cheers.

21
OK, eventually got to the root of this.

It needed an additional entry in the nat postrouting section:
Code:
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
I guess this would all be done internally, if Zentyal would allow tun/tap interfaces to be defined as gateways.

Cheers.
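
One way to write the hook body discussed in these posts so that it can be re-run safely, as an added example that is not the poster's actual hook: it checks for the `tun0` MASQUERADE rule and for the 212.58.240.0/255.255.240.0 route from the routing table posted in this thread (written as /20) and adds only what is missing. The function names, the `RUN` and `LOG` variables and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotent body for a Zentyal hook such as
# /etc/zentyal/hooks/firewall.postservice. Prints the commands unless RUN is empty.
TUN_IF="${TUN_IF:-tun0}"               # tunnel interface named in the posts
VPN_NET="${VPN_NET:-212.58.240.0/20}"  # 212.58.240.0 / 255.255.240.0 from the posted table
LOG="${LOG:-/dev/null}"                # assumption: point this at a writable log file
RUN="${RUN-echo}"                      # RUN= (empty) executes instead of printing

log() { echo "$(date)   $*" >>"$LOG"; }

# True when the MASQUERADE rule is already in nat/POSTROUTING.
have_masq() {
    iptables -t nat -C POSTROUTING -o "$TUN_IF" -j MASQUERADE 2>/dev/null
}

# True when the main table already sends VPN_NET out of TUN_IF.
have_route() {
    ip route show exact "$VPN_NET" dev "$TUN_IF" 2>/dev/null | grep -q .
}

ensure_masq() {
    if have_masq; then
        log "masquerade on $TUN_IF present"
    else
        log "masquerade on $TUN_IF missing, adding"
        $RUN iptables -t nat -A POSTROUTING -o "$TUN_IF" -j MASQUERADE
    fi
}

ensure_route() {
    if have_route; then
        log "route $VPN_NET dev $TUN_IF present"
    else
        log "route $VPN_NET dev $TUN_IF missing, adding"
        $RUN ip route replace "$VPN_NET" dev "$TUN_IF"
    fi
}

ensure_masq
ensure_route
```

Because each step tests before it adds, the same script can be called from more than one hook without stacking duplicate nat rules, and the log lines record whether an entry had gone missing since the last run.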

22
Instead of 'grep 1194', try 'grep openvpn'.  Or 'iptables -L -n | grep 1194'.

One thing I noticed when I first set up VPN is that even though it's set up via Zentyal panels, it didn't automatically add the firewall rule to let the packets in.  I had to manually add that via the Network and Firewall settings.

Cheers.

23
Chrisian,  Thank you for replying, especially the hint about iproute2.  Now I understand how the default routing takes place:
Code:
ip route list table default
default via 142.129.208.1 dev eth0
However, that really doesn't help with the issue at hand.

Just for clarification, this is not a Zentyal <-> Zentyal tunnel.  It is Zentyal -> foreign VPN server.  This server does not advertise any networks, as by default it attempts to hijack the default route for all the traffic.  This fails within Zentyal because there is no default route in the kernel table:
Code:
Mon Jul 22 15:09:39 2013 SENT CONTROL [scothosts.com]: 'PUSH_REQUEST' (status=1)
Mon Jul 22 15:09:39 2013 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option NTP 10.10.10.1,dhcp-option DNS 10.10.10.1,ping-timer-rem,route 10.10.10.0 255.255.255.0,topology net30,ping 10,ping-restart 60,ifconfig 10.10.10.178 10.10.10.177'
Mon Jul 22 15:09:39 2013 OPTIONS IMPORT: timers and/or timeouts modified
Mon Jul 22 15:09:39 2013 OPTIONS IMPORT: --ifconfig/up options modified
Mon Jul 22 15:09:39 2013 OPTIONS IMPORT: route options modified
Mon Jul 22 15:09:39 2013 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Mon Jul 22 15:09:39 2013 ROUTE: default_gateway=UNDEF
Mon Jul 22 15:09:39 2013 TUN/TAP device tun0 opened
Mon Jul 22 15:09:39 2013 TUN/TAP TX queue length set to 100
Mon Jul 22 15:09:39 2013 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Jul 22 15:09:39 2013 /sbin/ifconfig tun0 10.10.10.178 pointopoint 10.10.10.177 mtu 1500
Mon Jul 22 15:09:41 2013 NOTE: unable to redirect default gateway -- Cannot read current default gateway from system
Mon Jul 22 15:09:41 2013 /sbin/route add -net 10.10.10.0 netmask 255.255.255.0 gw 10.10.10.177
Mon Jul 22 15:09:41 2013 Initialization Sequence Completed
The reason for the manual adding of the route is explained by Javier in this post.

So, my reading of the route and iproute2 information still leads me to believe that I have the routing correctly set.  This is confirmed by the fact that everything is routed, exactly as expected, for anything that takes place on the local Zentyal server.

So, I am back to the issue, which I believe is this.  Whatever mechanism is used to enable the transfer of outgoing packets from the LAN interface, eth1, to the WAN interface, eth0, is only allowing just that, eth1 -> eth0 and when the routing information kicks in, and attempts eth1 -> tun0, this is blocked.

Where would be the next place for me to investigate this aspect?

Cheers.

24
I've set up the OpenVPN Client on my Zentyal system and by creating my own config file have been able to successfully connect to the server.

It took me a while to realise that I needed to add my own route to the Kernel IP Routing Table to allow the traffic to flow via the tun0 interface instead of eth0.  The route I added only sends a certain IP range through the tunnel.  The rest is routed out to the internet normally.  The last line being the one I needed to add:
Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.10.10.0      10.10.10.177    255.255.255.0   UG    0      0        0 tun0
10.10.10.177    *               255.255.255.255 UH    0      0        0 tun0
142.129.208.0   *               255.255.240.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
192.168.160.0   *               255.255.255.0   U     0      0        0 tap1
212.58.240.0    *               255.255.240.0   U     0      0        0 tun0
Now, from the Zentyal server itself, this is working perfectly.  If I traceroute to the 212.58.240.0 range, I see it going via the 10.10.10.0 hop.  If I traceroute any other address, then it goes straight to my ISP.

Now, the only issue is, I can only do this from the Zentyal server itself.  If I try routing anything to the 212.58.240.0 range from a machine in the internal LAN, then it just times out connecting.  I've tried browsing, traceroute, ping, telnet, etc. and it's always the same.  Zentyal server = success.  Machine on LAN = fail.

I initially thought it might be the firewall, but if it is nothing shows in the logs.  Also, the firewall is port based, not IP, so I don't really see it being that.

Any ideas of why my internal traffic is failing to be routed at all?

Also, I'm a little confused how the routing works anyway in a standard Zentyal system, as there is no "default" entry in the routing table to send the packets to my ISP gateway.

BTW  This is a fully up to date 3.0 system.

Cheers.

25
Installation and Upgrades / suricata Eats CPU
« on: July 13, 2013, 01:39:28 am »
Here's a quick screen shot after about 90 minutes of running.  During the whole period, Zentyal was just idle, nothing going on.  It's sorted on Time.

During the period, suricata was always around 10% -> 13%.

On the IDS/IPS panel there are no interfaces selected, so I wouldn't expect this to be running.

Zentyal 3.1-1 beta with all the latest updates applied.  Core version:  3.1.5.

Cheers.

26
Installation and Upgrades / Re: /boot partition full
« on: June 08, 2013, 01:02:14 am »
Installation disk zentyal 3.0 has been used with the use entire disk option, never adjusted the /boot partition?
Results of:
Uname -r: 2.6.32-5-amd64

dpkg --list | grep linux-image:
ii  linux-image-2.6-amd64                2.6.32+29                         Linux                                                             2.6 for 64-bit PCs (meta-package)
ii  linux-image-2.6.32-5-amd64           2.6.32-48squeeze3                 Linux
I'm not sure what's going on there.  Zentyal 3 uses precise, not squeeze and the kernel version is 3.5, not 2.6.

Exactly what is in /boot?

Cheers.

27
Installation and Upgrades / Re: /boot partition full
« on: June 07, 2013, 07:40:32 am »
Do you mean that if you let Zentyal using the whole disk, it will create dedicated /boot partition?
Yes, and the rest of the disk as LVM, where it creates 2 logical drives.  One for / (root) and the other a swap partition.

I saw this on both a 2.2 and a 3.0 install to a clean disk.

Cheers.

28
Installation and Upgrades / Re: /boot partition full
« on: June 07, 2013, 07:21:14 am »
Then still the question: why such a small partition. Only 280MB....  ???
2 or 3 people have asked this question.

The answer is, that's what Zentyal allocates if you tell it to use the whole disk and let Zentyal do the allocations.   ;D

But I'm also with UdoB here.  My 240M /boot partition is less than half full with 4 kernel images.

Also a quick Google with "ubuntu remove old kernel" will tell you all about "apt-get purge" to clean up.  Just remember to leave the latest 2 images intact.

***Update***
After a quick "sudo dpkg --get-selections | grep image" followed by 2 x "sudo apt-get purge linux-image-3.5.0-<nn>-generic" commands, my boot is now only a quarter full.

Cheers.

29
Installation and Upgrades / Cannot Update UPS Settings
« on: June 06, 2013, 08:31:07 pm »
I'm trying to configure and test the UPS functions introduced into Zentyal and noticed an issue regarding the settings.

I cannot update any of the settings.  They all report back a "Missing argument: Value" error.  Screen shot attached.

This is a TrippLite UPS and is connected with the Smart2200RMXL2U (USB, newer models):  usbhid-ups driver.

Cheers.

30
Installation and Upgrades / Re: Unable to get pop3 certificate
« on: May 23, 2013, 09:18:08 am »
A little more information about certificates.  Not sure if it's relevant or not, but thought I'd add it.

As part of my ongoing check out of my 3.0-2 install, I set up an OpenVPN server the same way I had previously in 2.2.  When I downloaded the client bundle to my Linux laptop and tried to configure NetworkManager for an OpenVPN connection, the drop downs for User Certificate, CA Certificate, and Private Key could only see the .pem files for the User and CA Certificates.  The Private Key wasn't offered as an option, even though it had the same .pem extension.

After comparing the contents of the Private Key .pem file from 2.2 and 3.0 I noticed a difference.  For 2.2 the key was wrapped in these comments:
Code:
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Where the 3.0 export used this:
Code:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
So, for NetworkManager, it actually looks at the contents of the file, not just the extension to determine if the file is usable or not.  After editing the file, and adding the "RSA" part to the comment wrapper, NetworkManager now recognises the file as a Private Key.

After configuration I was able to connect from my Laptop to the Zentyal server, so I'm guessing the key exchange at that point is good.

Could it be something similar with the pop3 certificate?

Cheers.
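
The two wrappers quoted in the post above name two different encodings: `RSA PRIVATE KEY` is the traditional PKCS#1 RSAPrivateKey layout and `PRIVATE KEY` is PKCS#8 PrivateKeyInfo. The script below is an added example, not part of the original post: it reads the first DER elements of a PEM file to report which layout the body holds and whether the label agrees with it. The function names are made up here and the sample bytes are constructed and truncated, not real keys.

```shell
#!/bin/sh
# Added example: compare a PEM private key's label with the layout of its DER body.

# byte HEX N: print byte N (0-based) of a hex string.
byte() { printf '%s' "$1" | cut -c "$(( $2 * 2 + 1 ))-$(( $2 * 2 + 2 ))"; }

# Print the label of the first BEGIN line, e.g. "RSA PRIVATE KEY".
pem_label() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1; }

# Print pkcs1, pkcs8 or unknown, judged from the first DER elements.
pem_structure() {
    hex=$(grep -v '^-----' "$1" | tr -d '\r' | base64 -d 2>/dev/null |
          od -An -v -tx1 -N 16 | tr -d ' \n')
    [ "$(byte "$hex" 0)" = 30 ] && [ -n "$(byte "$hex" 1)" ] || { echo unknown; return; }
    len=$(( 0x$(byte "$hex" 1) )); off=2          # short form: one length byte
    if [ "$len" -ge 128 ]; then off=$(( 2 + len - 128 )); fi   # long form: skip length bytes
    ver="$(byte "$hex" "$off")$(byte "$hex" $((off + 1)))$(byte "$hex" $((off + 2)))"
    [ "$ver" = 020100 ] || { echo unknown; return; }   # both layouts start with INTEGER 0
    case "$(byte "$hex" $((off + 3)))" in
        02) echo pkcs1 ;;    # INTEGER next: the RSA modulus (RSAPrivateKey)
        30) echo pkcs8 ;;    # SEQUENCE next: AlgorithmIdentifier (PrivateKeyInfo)
        *)  echo unknown ;;
    esac
}

# Say whether the label agrees with the body.
pem_check() {
    label=$(pem_label "$1"); found=$(pem_structure "$1")
    case "$label" in
        "RSA PRIVATE KEY") want=pkcs1 ;;
        "PRIVATE KEY")     want=pkcs8 ;;
        *)                 want=none ;;
    esac
    if [ "$want" = "$found" ]; then echo "match: $label is $found"
    else echo "mismatch: label '$label' but body is $found"; fi
}

# Constructed, truncated DER (not real keys): just enough bytes to show each layout.
PKCS1_BYTES='\060\006\002\001\000\002\001\005'              # SEQ { INT 0, INT 5 }
PKCS8_BYTES='\060\201\010\002\001\000\060\000\004\001\000'  # SEQ (long len) { INT 0, SEQ {}, OCTET STRING }
make_sample() {   # make_sample LABEL BYTES FILE
    { echo "-----BEGIN $1-----"; printf "$2" | base64; echo "-----END $1-----"; } >"$3"
}

tmp=$(mktemp -d)
make_sample "RSA PRIVATE KEY" "$PKCS8_BYTES" "$tmp/edited.pem"   # PKCS#8 body, label hand-edited
pem_check "$tmp/edited.pem"
rm -rf "$tmp"
```

To re-encode the key rather than relabel it, `openssl rsa -in key.pem -out rsa-key.pem` writes the PKCS#1 form on OpenSSL 1.x; OpenSSL 3.x needs `-traditional` added.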
